Next steps (2025): migrating to cilium/ebpf, port to Qt6 · evilsocket/opensnitch · Discussion #1222
We have two important tasks ahead of us to keep opensnitch up to date.
[ ✔️ ] eBPF
Up until now we've been using https://github.com/iovisor/gobpf/ for intercepting events from the kernel, and it has worked very well.
But unfortunately it has been deprecated since 2021 (iovisor/gobpf#304), which means that some of the known issues and limitations won't be fixed:
- When resuming from suspend state, intercepted events are not deleted from the kernel, which causes the maps to fill up, leading to not being able to intercept or save new events. Also, BPF_MAP_TYPE_PERF_EVENT_ARRAY behaves erratically in this scenario, not sending all the intercepted events to user-space. (See a7e64b0 and #834 "unknown process connecting on port 443... ipv6/networkmanager/latest git opensnitch.. systemd-resolved, firefox/firejail?", reply in thread.)
- There's no support for BPF_MAP_TYPE_RINGBUF, BPF_LSM and other features. In the short term, support for ringbuffers is interesting because the performance is superior (https://nakryiko.com/posts/bpf-ringbuf/).
- There's an issue in aarch64, where the intercepted events are not sent correctly to user-space.
- It uses a custom bpf_map_def struct to define maps. Not a big deal, but it has raised concerns and doubts among some users.
So after evaluating some options, I've migrated the code from gobpf to github.com/cilium/ebpf.
The results so far are:
- The issue resuming from suspend state is gone.
- It supports all the latest eBPF features, and I guess it'll be kept updated with future changes.
- There are no issues on aarch64 (there are some issues on i686 and armhf though, which we'll have to investigate or ask for help with. Anyway, network interception works on these archs).
- It's a pure Golang library, which in theory should have better performance than gobpf, which uses C bindings. (If we also get rid of the libnetfilter_queue library in favor of go-nfqueue, we could be more portable: android, embedded devices, etc.)
- BPF_MAP_TYPE_RINGBUF is less likely to lose events under high demand.
- Some (hardened) kernels mount debugfs under /sys/kernel/tracing/ instead of /sys/kernel/debug/tracing. We used to fail adding the kprobes in these environments, but with the Cilium lib this is no longer a problem.
More testing is needed, but it looks promising.
[ ✔️ ] Qt6
We've been using PyQt5 for the GUI since at least version 1.0.x. But as Qt5 entered EoS some years ago, a lot of distros have started to deprecate it.
The concerning news regarding OpenSnitch is that Ubuntu plans to remove Qt5 from Ubuntu 25/26 https://discourse.ubuntu.com/t/removing-qt-5-from-ubuntu-before-the-release-of-26-04-lts/49296 , https://www.phoronix.com/news/Ubuntu-Hopes-Removing-Qt-5.
Probably other distros will remove it earlier. NixOS, for example, asked to port the GUI to Qt6 some time ago.
This means that it won't be possible to install the OpenSnitch GUI on old distros, like LinuxMint 17 to 21, Ubuntu 16 to 22 ... unless you install PyQt5 manually via pip. Or, well, we make the GUI compatible with both PyQt5 and PyQt6.
There's no estimation for this task yet. Done: e5d1702
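The tracefs point above (kprobes failing to attach when the tracing directory lives at /sys/kernel/tracing rather than /sys/kernel/debug/tracing) is easy to reproduce in a loader that hard-codes the legacy path. The following is an added, standalone Go example, not code from opensnitch or from cilium/ebpf, showing the lookup a loader has to do: probe the candidate roots in order and accept a directory only if it actually contains the tracefs `events` tree, since `/sys/kernel/debug/tracing` can exist as an empty mount point on a kernel that mounts tracefs elsewhere. The candidate list, the function names and the `events`-directory check are this example's own choices; cilium/ebpf does its own internal resolution.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrNoTracefs is returned when none of the candidate directories exposes a
// tracefs layout (i.e. none contains the "events" directory that kprobe
// registration relies on). Usually that means tracefs/debugfs is not mounted.
var ErrNoTracefs = errors.New("no tracefs found: is tracefs or debugfs mounted?")

// defaultTracefsCandidates lists the locations probed, in order of preference:
// the dedicated tracefs mount first, then the legacy path under debugfs.
// (Assumed ordering for this example; adjust for the kernels you target.)
var defaultTracefsCandidates = []string{
	"/sys/kernel/tracing",
	"/sys/kernel/debug/tracing",
}

// findTracefs returns the first candidate directory that looks like a mounted
// tracefs. We check for the "events" subdirectory instead of the directory
// itself existing: an empty /sys/kernel/debug/tracing mount point must not be
// mistaken for a usable tracefs, or kprobe_events writes would fail later.
func findTracefs(candidates []string) (string, error) {
	for _, dir := range candidates {
		info, err := os.Stat(filepath.Join(dir, "events"))
		if err == nil && info.IsDir() {
			return dir, nil
		}
	}
	return "", ErrNoTracefs
}

// kprobeEventsPath resolves the kprobe_events control file against whichever
// tracefs root is mounted, so a loader never hard-codes the legacy debugfs path.
func kprobeEventsPath(candidates []string) (string, error) {
	root, err := findTracefs(candidates)
	if err != nil {
		return "", err
	}
	return filepath.Join(root, "kprobe_events"), nil
}

func main() {
	path, err := kprobeEventsPath(defaultTracefsCandidates)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("kprobe_events:", path)
}
```

Run it on a hardened kernel that only mounts /sys/kernel/tracing and it resolves to that root; on a kernel with neither mounted it reports ErrNoTracefs instead of failing later with a confusing ENOENT on kprobe_events, which is the situation the old loader could not distinguish.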